New Republican Privacy Bill Would Expand Scope of “Sensitive” Data

Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520) that would create new online privacy requirements. The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of their privacy policies, obtain opt-in consent for sensitive data, and opt-out consent for non-sensitive data. In its current form, the BROWSER Act would define sensitive data more broadly than in existing FTC guidelines—mirroring the since-repealed privacy rules that the FCC adopted last year for ISPs, but applying those standards to ISPs and edge providers alike.

The BROWSER Act defines “sensitive user information” to include financial information, health information, children’s data, social security numbers, precise geo-location information, contents of communications, and, most notably, web browsing or app usage histories. ISPs and edge providers must obtain “opt-in approval” from users prior to using, disclosing, or permitting access to such sensitive information. For “non-sensitive user information,” the BROWSER Act requires opt-out consent. And companies may not condition the provision of services, or otherwise refuse services, based on the waiver of privacy rights under the BROWSER Act.

The bill contains several exceptions to these opt-in and opt-out consent requirements. First, consent is not required for uses of the data to provide the service or other services “necessary to, or used in, the provision of such services.” Second, consent is not required for billing uses or to protect the rights, property, or users of the services from fraud, abuse, or unlawful use, or as otherwise required by law. Third, location information or non-sensitive data may be used without consent for certain public safety or emergency purposes.

The BROWSER Act provides for enforcement by the FTC as an unfair or deceptive act or practice “notwithstanding” the common carrier exemption in the FTC Act. It expressly preempts any State laws “relating to or with respect to the privacy of user information” with respect to providers of covered services. And it also preempts Communications Act laws or regulations relating to “privacy policies, terms of service, and practices” covered by the BROWSER Act, other than emergency services regulations.

The BROWSER Act has been referred to the House Committee on Energy and Commerce, and it is unclear whether it has any chance of enactment in its current form. Blackburn is the chairman of the House Subcommittee on Communications and Technology, but Senate Commerce, Science & Transportation Chairman John Thune (R-SD) has indicated that he does not plan to introduce companion legislation in the Senate.

About the Covington Data Privacy and Cybersecurity group

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry, and of e-commerce and digital media business models in particular. Read More